The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it reached a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. The Raleigh, North Carolina-based provider group practice runs several clinics and an orthopaedic surgery center. The settlement was reached after the protected health information (PHI) of 17,300 patients was unlawfully transmitted to a Business Associate (BA) without having executed a proper Business Associate Agreement (BAA).
Under HIPAA, Covered Entities (CEs) are prohibited from disclosing PHI to BAs without a BAA in place that outlines the necessary safeguards that need to be maintained during the use or transmission of PHI.
OCR began its investigation of Raleigh Orthopaedic after a breach was reported in 2013. The investigation revealed that Raleigh Orthopaedic had disclosed the x-rays and associated PHI of 17,300 patients to an organization that was hired to digitize the images. Raleigh Orthopaedic failed to execute a BAA, and in doing so exposed its patients’ PHI to the BA it was working with.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director, Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Raleigh Orthopaedic is expected to pay a $750,000 settlement and revise its policies and procedures, specifically in regard to hiring and vetting BAs and executing BAAs.
Doctors and CEs who do business with digitizing and electronic storage services need to take specific measures to ensure that their patients’ privacy is maintained at all times. Any time a CE pays a service to handle PHI, it is engaging with a BA and is bound by the full extent of the HIPAA Privacy Rule, as well as the rest of the federal regulations governing the use and disclosure of PHI.